FW Gold - Content Restriction on iPhone, through VPN

Comments

10 comments

  • MattT

    This sounds like a good idea (other than they could just turn the VPN off?)... did you get it working?

    Have been using Circle (free version for basic domain blocking) and was looking at Qustodio... but wondered how you'd found the approach you mention.

  • MattT

    @firewalla - would love for you guys to be able to extend Firewalla to mobile devices... it's such hard work as a parent trying to protect teenagers - despite having excellent dialogue with the kids, it's just impossible to get on top of the curiosity of a teenager's mind, but they simply don't have the restraints in place to constantly make so many good decisions in the barrage of all that's now available online.

  • Stoopalini

    I now have the Firewalla Gold installed at home, and it's working great ... but I haven't experimented with VPN yet.

    We've been using BARK on the kids' iPhones, and it's great. It's a paid service, but well worth it. It also works on a VPN, but will notify me if the kid turns VPN off.

    We also use ScreenTime on the phones as well.

    So Bark + ScreenTime provides great content filtering, notification alerts, as well as remote control (i.e., ability to disable all data remotely) for the phone while Firewalla is providing content filtering on home devices.

    It would be nice if the two could be merged.

  • Ben Someone

    Your only real option for controlling mobile devices (with their own data plans) is to install 3rd-party software like Stoop uses, and this only works (in the midterm run) if you're the admin of their phones and they are not. In the long run this only stops someone who is mildly curious. If the kid wants to access a certain thing, they will be able to do so with enough effort as a teenager with the internet pretty much everywhere now.

    To (unofficially) answer your question about VPN control: Once a device connects to the VPN on the Firewalla box it's controlled as though it was on the local network with whatever restrictions you've got set up*.

    *Note that Firewalla, like other firewalls, identifies devices by their "MAC address". A MAC address is (in theory) a specific device ID that identifies a network interface. This *can* be "changed" with certain software, which would cause the device to appear as a new device. If you're blocking teens you'd be well advised to enable new device quarantine. Of note, some new phones (iOS 14 and Pixel 5a, for example, for future searchers) come from the factory with the setting enabled that randomizes your MAC address every time you connect to a Wi-Fi network, so you have to manually go in and disable it under advanced settings or you'll end up with multiple devices that are really just one physical device.

  • Matt Hemker

    "I also can't determine if the VPN connection will enforce the content restrictions.controls onto the remote device."

    This is also my question. I have now established a VPN Server on my Firewalla Blue+ using WireGuard. I wish to install the client onto my teenage son's phone so that all traffic then gets routed through the Firewalla. But, in testing on my own phone, I cannot seem to apply the content restrictions (Rules) that I have set up on my son's profile when connected to the VPN. They only apply when he is connected locally to the network.

  • Firewalla

    @matt, the best option is to try the 1.973 beta. This version can see all the WireGuard devices and you can apply rules to each device on the WireGuard network. https://help.firewalla.com/hc/en-us/articles/4403336151827-Firewalla-Box-Release-1-973-App-Release-1-47

  • mobius strip

    @Ben Someone

    "Note that Firewalla, like other firewalls, identifies devices by their "MAC address". A MAC address is (in theory) a specific device ID that identifies a network interface. This *can* be "changed" with certain software, which would cause the device to appear as a new device. If you're blocking teens you'd be well advised to enable new device quarantine. Of note, some new phones (iOS 14 and Pixel 5a, for example, for future searchers) come from the factory with the setting enabled that randomizes your MAC address every time you connect to a Wi-Fi network, so you have to manually go in and disable it under advanced settings or you'll end up with multiple devices that are really just one physical device."

    You can largely deal with these concerns by:

    • Turning on auto blocking of devices detected to use MAC randomization (on the Firewalla Gold at least…and probably the Firewalla Purple model as well).
    • Putting the children’s devices on their own SSID and associated VLAN on a WiFi access point and then creating the firewall rules and schedules etc. accordingly (and don’t tell them the password for your other SSIDs on the other VLANs on your AP).
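
A randomized (private) MAC address can be told apart from a vendor-assigned one by the locally administered bit in its first octet, which is what makes the quarantine and auto-block advice in the two comments above workable. The following is an added example, not code from any poster or from Firewalla: the device inventory is constructed, and grouping by hostname is an assumed heuristic, not Firewalla's detection method.

```python
"""Flag randomized (private) MAC addresses in a device inventory."""
from collections import defaultdict

# Constructed sample inventory (MAC, hostname, SSID); not real data.
DEVICES = [
    ("3C:22:FB:10:20:30", "kids-ipad", "Home"),
    ("A6:5E:60:11:22:33", "teen-iphone", "Home"),
    ("DA:A1:19:44:55:66", "teen-iphone", "Kids"),
    ("F2:0B:A4:77:88:99", "teen-iphone", "Guest"),
    ("00:1A:2B:3C:4D:5E", "printer", "Home"),
]


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a MAC written with ':' or '-' separators."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


def is_randomized(mac: str) -> bool:
    """True for a unicast address with the locally administered bit set.

    Bit 0x02 of the first octet marks an address as locally assigned rather
    than vendor-assigned; bit 0x01 marks multicast. Private Wi-Fi addresses
    on phones are unicast and locally administered.
    """
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not first & 0x01


def group_likely_duplicates(devices):
    """Group randomized MACs by hostname (assumed heuristic) to spot one
    physical phone that shows up as several devices."""
    seen = defaultdict(list)
    for mac, host, ssid in devices:
        if is_randomized(mac):
            seen[host.lower()].append((mac, ssid))
    return {h: entries for h, entries in seen.items() if len(entries) > 1}


if __name__ == "__main__":
    for mac, host, _ in DEVICES:
        print(f"{mac}  {host:12} randomized={is_randomized(mac)}")
    print(group_likely_duplicates(DEVICES))
```
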
  • M

    Hello. I have the exact same situation where I would like to apply rules while kids are away. I set up WireGuard VPN so that kids' phones connect to Firewalla via VPN as soon as they leave the house. May I understand that the rules set for their phones (or group) do not apply when their phones are connected via VPN? The rules show blank for their VPN profiles under devices; May I understand that I need to set the rules separately for their VPN profiles? It would be nice if the group can include VPN connections.

  • Firewalla

    You should see VPN devices under the WireGuard network segment. Or directly create a rule over that device. This is only useful for WireGuard, you can do it per device. 

  • M

    Yes I do. So the rules I created for the device (connected locally) do not apply to the same device that is connected via WireGuard, correct?
